As a reminder: as of the current state of the art, 40 years is nowhere near the right time horizon for cracking a wallet that was generated in a secure way. Even Tianhe-2, the most powerful supercomputer in the world, would take hundreds of thousands of years.

I mean, it's still an interesting hypothetical - plays into a lot of classic economic allocation questions - but I want to make sure you realize that it's not a realistic one, for the moment.

Even if it were implemented, it would create a mess if some nodes pruned a transaction while others did not. Also, the inputs of fully pruned transactions could be double spent.

Nah, see, the whole point of OP_RETURN is that unless you're bootstrapping new clients you don't actually need to store it. If pruning is implemented, you're not pruning the transaction - you're pruning the output. The coins that were used as inputs are still used up in your local state.

Of course, that's easiest when you're taking the approach of using the blockchain for bootstrapping only, and just using the UTXO set for day to day transactions. If you want to store the blockchain too, you need some extra mechanism if you want to support redacting OP_RETURN data blocks. You could theoretically do it with ZKPs, though - basically attaching a proof that "for transaction X, I blotted out their data, but I totally know an input that still makes that transaction hash to its txid".

All that said, though, I feel like we should cross this bridge when we come to it. Sound technical solutions exist, at least once you decide that you want to delete a particular OP_RETURN output. But there's no point in implementing them if this is still just a theoretical attack.

The OP should consider that his computer contains a sufficient amount of '1's and '0's which could all be simply rearranged somewhat to form 1000s of child porn images - ON HIS COMPUTER. But those '1's and '0's on his computer, just because they are presently out of order, nevertheless do constitute child porn. He is clearly a pig. That is right, your computer is loaded with child porn!!! The cops are going to find you and arrest you for this and you will go to jail for life.

That's a little disingenuous. OP_RETURN data blocks are opaque binary data, and every image in a commonly used image format begins with a preamble that in practice make the interpretation of the blob pretty unambiguous.

Rethink the IP reputation protocol so that "known proxy" addresses are not held to the same standard as nodes themselves. This is a quick fix but is problematic in that spammers can then get additional leeway by running an apparent Tor exit node.

Users who want to run "pure Tor" should run their nodes as a hidden service and connect primarily to hidden service peers. Users who want to support the network and are not worried about being identified should run their nodes both as a hidden service and as a "normal" plaintext peer. This way, the visible IP addresses are not Tor exit nodes but actual Bitcoin nodes which should be able to pre-filter bad content before the network at large has to see it (and thereby avoid getting unknowingly banned out by an attacker). The downside here is that it requires overcoming a network catch-22; until there are enough real nodes visible as both Tor hidden services and as IP addresses, the few Tor hidden service nodes existing today ca be easily blackholed.

This seems to me like it's basically what will become of the altcoin sea once trust-free cross-chain trading gets built into more clients. The "competing networks" thing is already going on there, with altcoin devs implementing new features that sometimes get back into Bitcoin and sometimes don't. And enough of the altcoins are Scrypt-based that they can share hashpower via merged mining, so the trade-offs are really based on features rather than chain hashpower security.

Of course, the exchange rate between BTC and LTC and BQC and all the rest is floating, so you can't just have coins from network A be automatically the same "value" as coins from network B. And that's as it should be; different "networks" have different properties, so their currency will be valued differently by the market, and any attempt to enforce an exchange rate by developer fiat is just going to push the real exchange rate underground.

An effective attack on the crypto - partial preimage attacks on 2SHA256, preimage attacks on RIPEMD160, forgery attacks on secp256k1. In this situation, the ledger becomes unusable and it becomes a game of he-said she-said to get a "clean" snapshot for forking to sounder algorithms.

A 75%+ hashpower vandal able to maintain that position for months. With a clean supermajority a bad actor can keep parallel blockchain branches within 6 confirms of each other (thereby keeping the ledger from converging and making it unusable) as long as they maintain that supermajority.

System failure of the Internet. Bitcoin is useless without the gossip network; we've discussed how to theoretically fail over to HAMs but I doubt that'll ever get built.

I think Shamir User A dumping their 2.8MBTC would push us pretty low, but it'd be temporary. I think the development of a significantly better Bitcoin-like system would cause most people to jump ship, but there'd be folks left who'd keep swapping them as collectibles. I think successful, high-profile reorg attacks ("51% attacks") would shake confidence in the system to its core, but that's a wound that the network can heal by changing its behavior. Those are all scenarios that could conceivably push us below the $2 wall that I've (colloquially) referred to as impenetrable, but zero? Zero is a long way down; even those debased Zimbabwe Dollars go for a couple bucks a bill just for the novelty value. Bitcoins becoming worthless would imply, at least to me, that something had changed such that ownership itself couldn't be established anymore.

As circumstantial evidence supporting this theory, it's worth pointing out that the drops on Bitstamp at least seem to be correlated to very large single trades:(The time per candle is 1 minute, which is about as fine-grained as bitcoincharts will go.)

that's quite a bit of money.. it would explain why the price has crashed yesterday-ish. it seems bitcoin's market cap is not nearly big enough to absorb this kind of action.

So you are saying that Bitpay sold the coins in bitstamp the moment they got the order? I don't think that's the way things work.

i'm not 100% certain how the exchanges work, but i'm assuming it works under supply/demand economics. if $1.6 million in bitcoin flooded the supply side, then prices will end up dropping if demand is roughly the same.

This would have a negative effect on prices, however it is likely a small transaction when compared to total exchange volume. I would also assume that bitpay would likely sell their coins on multiple exchanges to avoid impacting the price on just one exchange, creating the opportunity to arb.

The 24-hour volume of the top three exchanges is about $8 million on an average day. Even spread across all three markets, a $1.6 million sell is 20% of that - a huge ratio for a single trade.

If the correlation is real, that would mean more merchants accepting bitcoin is bad for the price since the merchant probably won't hold the coin for long.

Short-term bearish, but vital in the long term to the Bitcoin economy's success.

Every time another merchant supports BTC payment via instant-cash-out, it increases the sell pressure, yes. But it also makes bitcoins more useful as current money. Which means that the more merchants support BTC payment, whether through instant-cash-out or not, the less need there is for the next merchant to use instant-cash-out instead of just using the bitcoins to pay their suppliers.

Instant cash out is a necessary stepping stone. That the price would be depressed during this phase, especially in the case of big ICO purchases, is not a mystery.

But why would it stop at $2/coin? Seems to me that anything so catastrophic would probably just take it down to $0, make it worthless entirely. But maybe I am approaching this wrong.

Basically my contention is that there is a subset of the current user population which would stick around for various (ideological or speculative or practical) reasons even if a high-profile double-spend were to occur, and that that subset is >= the number of true believers at the end of 2011 (when we were at the nadir of the post-bubble bear market and there was every reason to believe that the bitcoin experiment was just a flash in the pan). Since the price was unable to push below the $2/coin pricepoint at that time, my thought goes that it would not be able to push below that point in this hypothetical future scenario either.

I would be willing to stake quite a bit on the supposition that it will still exist, that blocks will still be coming at about 10 minutes between, and that the price will be above $2/coin. I consider those to be safe suppositions, since the only danger I can see there is if someone was able to partial preimage attack 2SHA256, preimage attack RIPEMD-160, or break our ECDSA curve. Even a miner revolt - often called out as a doomsday scenario - seems unlikely to me to push the price back below $2/coin, taking into account the state of the BTC economy the last time we were at that price compared to the infrastructure in place today.

More than that, I can't say. A lot can happen technologically in five years.

I'd not buy any now for five-year layaway, but that's mostly due to issues of variance comparing poorly to the size of a minimal useful bet. I've got my stash of old money; that's enough for me right now.

Hmm. People join up with pools primarily to reduce their variance; any old chip can theoretically find a block, but most people would rather have $1 for "sure" than a one-in-a-million chance to win a jackpot, even if the jackpot is paying a little better than the "sure" thing on the game-theoretical average. Faster blocks can reduce this pain point, but not eliminate it; unless you're fundamentally changing the proof of work mechanism, you'd need something like a thousand blocks a second to sufficiently level things out for a "citizen" miner. And faster blocks have staleness problems, too.

2) Flooding networks with peers that look unrelated but actually aren't. Tor has the same problem, so I'm interested in solutions that generalise to all P2P networks. For these proofs of propagation etc are irrelevant. For Bitcoin it might be possible in every case to come up with fancy tricks based on proof of work, though remember someone has to actually write the code for all of these ideas! But I don't see how to avoid the issue with Tor. There just isn't any reasonable way that the Tor directory operators can know if nodes are related today, and if they are, Tor fundamentally breaks. Given that GCHQ has been tasked with breaking Tor (they're thinking of the children you see), advanced sybil attacks on it seem more likely than not in the near future.

Hrm. The problem is that even if the network decided to ask for passport blind-signing, that solution doesn't work for this use case because the attacker can issue passports.

On the other hand, it's a thought. If you had to sign with an identity that was fundamentally difficult to create due to some other consideration...

Lets be honest peter we all know that no one is going to use the openPGP code, bitpay has already come out in support and that will make their merchants use that and coinbase (which I love and have great support for) is going to use it since Gavin is on the board. I mean to implement openPGP code would waste my funds and my time.

If PGP is a nonstarter, what would your preferred solution be to the problem which SSL integration purports to address?

It's funny. Five years later, and we're back to the ancient issue of Sybil resistance. Nakamoto managed to solve that for "voting on the history" applications, but now the gossip network itself is at risk.

Isn't that odd? Proof of work works. Is it really that difficult to say something like, okay, if you can hit a target that's some preset fraction of the network difficulty, you get to play? Or is there some other issue there, that would prevent that approach from working?

I watched the whole video and he did say it was required. So I doubt you watched the video. Also it is anonymous not one is saying different, we are just saying why do we need government ids to use our nodes. He didn't say at all that you will be content to be defrauded, he is saying use it or don't use bitcoinj or bitcoin-qt. You clearly need to use your listening skills much more, he used that as example he never said you can use one or the other.

So the thing about these proposals is that they're all about the gossip network, not the blockchain. And the thing about the gossip network is that mediators and intermediaries are easy to create. A Bitcoin gossip network that only allows people with passports to be a full node is worrisome to me too. But - and this is key - all it takes is one authenticated network user who then allows non-passported connections for anyone to avoid this. And there will be plenty of people (you are one example!) who will be unable/unwilling to create a passport proof, so that gossip network will have plenty of peers and we can continue as before.

His tor proposal was to stick in tor in his bitcoinj, guess what I already use tor in the way he describes so he is just making it easier for people that probably have no clue what tor is or how it protects you on the bitcoin network/internet.

Good. Anything that can increase the default anonymity of the system is a win anyway, as far as I'm concerned. If these people don't even know what is a "Tor", they'd never have used it, and the whole network suffers from the leak of their information. Tor by default is herd immunity. Not revolutionary, but a good idea.

What is the correct and fair way to remove Mike Hearn from the Bitcoin development?

If you mean bitcoind development, it would be by convincing the other developers to no longer accept his patches, and convincing the community to not use his patches either. The critical matter, as always, is one of trust.

Here's a good start: why not make the argument in this thread, right here and now, as to what is so "out of line" about "Mike's actions" that the community ought to reject him/his work?